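/// <summary>
/// Initializes the ES sandbox: registers the current process with the native
/// EndpointSecurity sandbox and starts the background thread that drains
/// access reports via <c>StartReceivingAccessReports</c>.
/// </summary>
/// <param name="isInTestMode">Stored in <see cref="IsInTestMode"/>; not read elsewhere in this constructor.</param>
/// <param name="measureCpuTimes">Stored in <see cref="MeasureCpuTimes"/>; not read elsewhere in this constructor.</param>
/// <exception cref="BuildXLException">
/// Thrown when the native side reports anything other than <c>Sandbox.SandboxSuccess</c>
/// while connecting; the native error code is included in the message.
/// </exception>
public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
{
    m_reportQueueLastEnqueueTime = 0;
    m_esConnectionInfo = new Sandbox.ESConnectionInfo() { Error = Sandbox.SandboxSuccess };
    MeasureCpuTimes = measureCpuTimes;
    IsInTestMode = isInTestMode;

    // Process is IDisposable (it owns a process handle); only the id is needed here,
    // so release the handle as soon as the native side has been told which pid to track.
    using (var process = System.Diagnostics.Process.GetCurrentProcess())
    {
        Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id);
    }

    if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
    {
        throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
    }

#if DEBUG
    ProcessUtilities.SetNativeConfiguration(true);
#else
    ProcessUtilities.SetNativeConfiguration(false);
#endif

    // Reports are drained on a dedicated background thread so that report delivery
    // cannot keep the process alive at shutdown. Highest priority is presumably meant
    // to keep the managed side from falling behind the kernel-side queue — TODO confirm.
    m_workerThread = new Thread(() => StartReceivingAccessReports())
    {
        Name = "EndpointSecurityCallbackProcessor",
        Priority = ThreadPriority.Highest,
        IsBackground = true,
    };
    m_workerThread.Start();
}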
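/// <summary>
/// Initializes the ES sandbox: registers the current process with the native
/// EndpointSecurity sandbox and installs the callback through which the native
/// side delivers file access reports.
/// </summary>
/// <param name="isInTestMode">Stored in <see cref="IsInTestMode"/>; not read elsewhere in this constructor.</param>
/// <param name="measureCpuTimes">Stored in <see cref="MeasureCpuTimes"/>; not read elsewhere in this constructor.</param>
/// <exception cref="BuildXLException">
/// Thrown when the native side reports anything other than <c>Sandbox.SandboxSuccess</c>
/// while connecting; the native error code is included in the message.
/// </exception>
public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
{
    m_reportQueueLastEnqueueTime = 0;
    m_esConnectionInfo = new Sandbox.ESConnectionInfo() { Error = Sandbox.SandboxSuccess };
    MeasureCpuTimes = measureCpuTimes;
    IsInTestMode = isInTestMode;

    // Process is IDisposable (it owns a process handle); only the id is needed here,
    // so release the handle as soon as the native side has been told which pid to track.
    using (var process = System.Diagnostics.Process.GetCurrentProcess())
    {
        Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id);
    }

    if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
    {
        throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
    }

#if DEBUG
    ProcessUtilities.SetNativeConfiguration(true);
#else
    ProcessUtilities.SetNativeConfiguration(false);
#endif

    // The delegate is held in a field (m_AccessReportCallback), presumably so the GC
    // cannot collect it while the native side still holds a pointer to it — do not
    // replace this with a temporary.
    m_AccessReportCallback = (Sandbox.AccessReport report, int code) =>
    {
        // NOTE(review): this lambda is invoked by the native sandbox, not by managed
        // callers of this constructor; an exception escaping it cannot be caught by
        // those callers. Confirm that terminating the build is the intended outcome
        // for both throws below.
        if (code != Sandbox.ReportQueueSuccessCode)
        {
            var message = "EndpointSecurity event delivery failed with error: " + code;
            throw new BuildXLException(message, ExceptionRootCause.MissingRuntimeDependency);
        }

        // Stamp the access report with a dequeue timestamp
        report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

        // Update last received timestamp
        Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);

        // Remember the latest enqueue time
        Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

        // The only way it can happen that no process is found for 'report.PipId' is when that pip is
        // explicitly terminated (e.g., because it timed out or Ctrl-c was pressed)
        if (!m_pipProcesses.TryGetValue(report.PipId, out var pipProcess))
        {
            return;
        }

        // A report whose RootPid does not belong to the pip it claims to come from means the
        // sandbox bookkeeping is inconsistent; the original code treats that as fatal.
        if (pipProcess.ProcessId != report.RootPid)
        {
            throw new BuildXLException("The process id from the lookup did not match the file access report process id", ExceptionRootCause.FailFast);
        }

        pipProcess.PostAccessReport(report);
    };

    Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, m_AccessReportCallback, Marshal.SizeOf<Sandbox.AccessReport>());
}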